You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: readme.md
+24-17Lines changed: 24 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,9 +7,12 @@ This module will enhance your ColdBox applications by providing out of the box s
7
7
- A security rule engine for incoming requests
8
8
- Annotation driven security for handlers and actions
9
9
- JWT (Json Web Tokens) generator, decoder and authentication services
10
-
- Pluggable with any Authentication service or can leverage [cbauth](https://github.com/elpete/cbauth)
10
+
- Pluggable with any Authentication service or can leverage [cbauth](https://github.com/elpete/cbauth) by default
11
+
- Capability to distinguish between invalid authentication and invalid authorization and determine an outcome of the process.
12
+
- Ability to load/unload security rules from contributing modules. So you can create a nice HMVC hierarchy of security.
13
+
- Ability for each module to define it's own `validator`
11
14
12
-
The module also has the capability to distinguish between invalid authentication and invalid authorization and determine an outcome of the process. The module also supports the ability to load/unload security rules from contributing modules. So you can create a nice HMVC hierarchy of security.
15
+
Welcome to SecureLand!
13
16
14
17
## License
15
18
@@ -85,14 +88,11 @@ cbsecurity = {
85
88
// JWT Settings
86
89
"jwt": {
87
90
// The jwt secret encoding key, defaults to getSystemEnv( "JWT_SECRET", "" )
88
-
"secretKey":"",
89
-
91
+
"secretKey":getSystemSetting( "JWT_SECRET", "" ),
90
92
// by default it uses the authorization bearer header, but you can also pass a custom one as well.
// The default expiration for refresh tokens, defaults to 30 days
@@ -122,11 +122,11 @@ cbsecurity = {
122
122
123
123
## Usage
124
124
125
-
Using the default configuration, this module will register the `Security` interceptor automatically for you according to the settings (`cbsecurity.interceptor.Security`).
125
+
Using the default configuration, this module will register the `Security` interceptor automatically for you according to the settings shown above and using the interceptor => (`cbsecurity.interceptor.Security`).
126
126
127
127
> **Info** You can deactivate this and load as a manual interceptor via the `autoLoadFirewall` setting.
128
128
129
-
The interceptor will intercept all calls to your application via the `preProcess()` interception point. Each request will then be validated against any registered security rules and then validated against any handler/action security annotations (if active).
129
+
The interceptor will intercept all calls to your application via the `preProcess()` interception point. Each request will then be validated against any registered security rules and then validated against any handler/action security annotations (if active) via a Security Validator. Also, if the request is made to a module, each module has the capability to have it's own separate validator apart from the global one.
130
130
131
131
> **Info** You can deactive annotation driven security via the `handlerAnnotationSecurity` setting.
132
132
@@ -136,7 +136,7 @@ How does the interceptor know a user doesn't have access? Well, here is where yo
136
136
137
137
> **Info** You can find an interface for these methods in `cbsecurity.interfaces.ISecurityValidator`
138
138
139
-
The validator's job is to tell back to the firewall if they are allowed access and if they don't, what type of validation they broke: authentication or authorization.
139
+
The validator's job is to tell back to the firewall if they are allowed access and if they don't, what type of validation they broke: **authentication** or **authorization**.
140
140
141
141
> `Authentication` is when a user is NOT logged in
142
142
@@ -191,7 +191,7 @@ rules = [
191
191
192
192
### Global Rules
193
193
194
-
The global rules come from the `config/Coldbox.cfc`
194
+
The global rules come from the `config/Coldbox.cfc` and they are defined within the `cbsecurity` module setting.
195
195
196
196
```js
197
197
// Module Settings
@@ -261,8 +261,14 @@ settings = {
261
261
cbsecurity = {
262
262
// Module Relocation when an invalid access is detected, instead of each rule declaring one.
263
263
"invalidAuthenticationEvent":"mod1:secure.index",
264
+
// Default Auhtentication Action: override or redirect when a user has not logged in
265
+
"defaultAuthenticationAction":"override",
264
266
// Module override event when an invalid access is detected, instead of each rule declaring one.
265
267
"invalidAuthorizationEvent":"mod1:secure.auth",
268
+
// Default Authorization Action: override or redirect when a user does not have enough permissions to access something
269
+
"defaultAuthorizationAction":"override",
270
+
// Custom validator for the module.
271
+
"validator":"jwtService@cbsecurity"
266
272
// You can define your security rules here or externally via a source
267
273
"rules": [
268
274
{
@@ -345,23 +351,25 @@ Now that we have seen security rules and also security annotations let's see how
345
351
* This function is called once an incoming event matches a security rule.
346
352
* You will receive the security rule that matched and an instance of the ColdBox controller.
347
353
*
348
-
* You must return a struct with two keys:
354
+
* You must return a struct with the following keys:
349
355
* - allow:boolean True, user can continue access, false, invalid access actions will ensue
350
356
* - type:string(authentication|authorization) The type of block that ocurred. Either an authentication or an authorization issue.
var results = { "allow":false, "type":"authentication" };
394
+
var results = { "allow":false, "type":"authentication", "messages":"" };
386
395
var user =security.getCurrentUser();
387
396
388
397
// First check if user has been authenticated.
@@ -416,7 +425,6 @@ You will receive the following data in the `interceptData` struct:
416
425
-`annotationType` : The annotation type intercepted, `handler` or `action` or empty if rule driven
417
426
-`processActions` : A boolean indicator that defaults to true. If you change this to false, then the interceptor won't fire the invalid actions. Usually this means, you manually will do them.
418
427
419
-
420
428
## Security Visualizer
421
429
422
430
This module also ships with a security visualizer that will document all your security rules and your settings in a nice panel. In order to activate it you must add the `enableSecurityVisualizer` setting to your config and mark it as `true`. Once enabled you can navigate to: `/cbsecurity` and you will be presentd with the visualizer.
@@ -425,7 +433,6 @@ This module also ships with a security visualizer that will document all your se
0 commit comments